1. Scope
The UK Statistics Authority and its executive office, the Office for National Statistics (ONS) process (including collecting, storing, using, deleting) a large quantity of personal data, principally for the purposes of producing aggregate National and official statistics and statistical research, and all our staff will likely come into contact with it in some way. Our data comes from a variety of sources such as mandatory and compulsory surveys and administrative sources in the public and private sectors.
We all have a responsibility to ensure that the special category personal data we hold is treated with respect, always kept secure and confidential, and that we comply with data protection legislation.
The policy considers:
- What elements users should be aware of, from a data protection perspective, when collecting and using special category data for the production of statistics and statistical research.
- How the ONS complies with the data protection principles when processing special category personal data.
- How the ONS will handle the special category data that we process, our lawful basis and purpose of processing, and the relevant condition for processing under the UK GDPR (General Data Protection Regulation) and data protection law.
This policy applies to all UK Statistics Authority and ONS employees, including staff on fixed-term, temporary or permanent contracts, staff on secondment, students and contractors, and those who use our services (Secure Research Service, IDS etc.) who collect and use special category data for the production of statistics and statistical research.
2. Background
Special category data is defined at Article 9 UK GDPR as personal data revealing:
- Racial or ethnic origin.
- Political opinions.
- Religious or philosophical beliefs.
- Trade union membership.
- Genetic data.
- Biometric data for the purpose of uniquely identifying a natural person.
- Data concerning health; or
- Data concerning a natural person's sex life or sexual orientation.
Criminal conviction data
Article 10 GDPR covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences or proceedings for an offence committed or alleged to have been committed, including sentencing. This is collectively referred to as 'criminal offence data.'
3. Policy statement
The UK Statistics Authority takes data protection seriously and adheres to the UK GDPR principles, in all its business interactions that involve the processing of special category personal data. The UK GDPR principles state that personal data shall be:
- Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency).
- Collected only for specified, explicit and legitimate purposes (Purpose Limitation).
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Data Minimisation).
- Accurate and, where necessary, kept up to date (Accuracy).
- Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed (Storage Limitation); and
- Processed in a manner that ensures its security, using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality).
We are also responsible for, and must be able to demonstrate, compliance with the data protection principles listed above (Accountability).
4. Policy detail
As part of the ONS's statutory functions, we process special category data and criminal offence data in accordance with the requirements of Article 9 and 10 of the General Data Protection Regulation ('GDPR') and Schedule 1 of the Data Protection Act 2018 ('DPA 2018').
When the ONS collects and processes special category personal data and criminal offence data, it does so under the lawful processing condition set out in Article 9(j) of the UK GDPR: "Processing is necessary for archiving in the public interest, scientific or historical research purposes or statistical purposes based on UK law."
Examples of our processing include the collection of special category data to support the Census and our work around the Covid-19 pandemic.
5. Practices
Data protection by design and by default
The UK Statistics Authority ensures that the principles and practices of data protection are built into all special category processing activities, and that the rights and freedoms of individuals are given consideration at all times.
Extra protection should be provided, as necessary, to the data of individuals who may be considered vulnerable. Vulnerability can be considered to exist where circumstances may restrict an individual's ability to freely consent or object to the processing of their personal data, to understand its implications, or where there is an imbalance of power in the relationship between the individual and the Authority.
Data minimisation
Special category data is processed only where it is necessary to achieve the aims of the organisation, and only the minimum amount of special category personal data required to achieve the aim is used. Special category personal data is de-identified or anonymised at the earliest opportunity and in accordance with best practice.
Data retention
Special category personal data is held only for as long as it continues to enable or assist the UK Statistics Authority in undertaking its functions, in line with Article 5(1)(e) of the UK GDPR, which states that "personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1)." The ONS will only continue to hold personal data where it is still used to produce statistics. In addition, the ONS will de-identify or anonymise data at the earliest opportunity it can without compromising its utility.
Data security
The UK Statistics Authority shall implement technical and organisational measures to ensure a level of security appropriate to the special category personal data being processed. Any measures put in place are regularly reviewed.
Personal data breaches
All breaches that present a risk to the rights and freedoms of individuals, as determined by the Data Protection Officer, shall be reported to the Information Commissioner at the earliest opportunity and in any event no later than 72 hours from discovery. Where a breach represents a high risk to individuals, the UK Statistics Authority shall notify all data subjects concerned. All staff who become aware of a personal data breach must report it to the Data Protection Team (DPO@Statistics.gov.uk) immediately and state whether the data are special category data (if relevant).
Records of processing activity
All information assets which contain special category personal data will be recorded on the Information Asset Register (IAR) and regularly reviewed to maintain an accurate and up to date record of processing activity.
Data protection impact assessments
When introducing a new processing activity that is likely to result in a high risk to the rights and freedoms of individuals, noting that such risk will be inherently higher where special category personal data is being processed, the UK Statistics Authority business areas will undertake an impact assessment to identify and mitigate those risks and seek guidance from the Data Protection Officer if required.
Transparency
The UK Statistics Authority will provide data subjects with all the information required for fair processing at the point of data collection. Where special category data are collected from administrative sources, this information will be provided to data subjects within one month, unless doing so would involve disproportionate effort. In addition, and where possible, such information will also be published on the ONS website.
Processors
The UK Statistics Authority will only use data processors capable of providing sufficient guarantees in relation to security of personal data and data protection legislation compliance.
International Data Transfers
Where the UK Statistics Authority transfers personal data internationally, it will only do so where an adequacy regulation is in place, or a safeguard or derogation is used. Where derogations are used, the organisation shall seek the advice of the Data Protection Officer.
Data Protection Officer (DPO)
The UK Statistics Authority has in place a suitably trained and experienced Data Protection Officer to provide advice and guidance on all matters related to data protection. The DPO will report directly to the National Statistician and will have no other duties that may cause a conflict of interest.
Training
All staff who process special category personal data receive adequate and regular training in data protection. Data Protection training is mandatory, and Line Managers will be responsible for ensuring their staff complete the training.
Compliance
All staff, contractors and others working on behalf of UK Statistics Authority and its executive office, the ONS, are required to comply with this policy. Compliance with the policy will be monitored by the Data Protection Officer.
The Information Commissioner
The UK Statistics Authority will provide support and assistance as required by the Information Commissioner in the fulfilment of their tasks.
6. Roles and responsibilities
National Statistician/Statistics Board
The National Statistician and the Statistics Board are responsible for the organisation's compliance with data protection legislation and are ultimately accountable to Parliament.
Data Protection Officer (DPO)
The DPO monitors compliance and provides advice and guidance to the organisation on all matters relating to data protection. The DPO reports to the National Statistician.
Data Protection Compliance and Audit (DPCA)
The DPCA team, within the Data Governance Legislation and Policy branch, reports to the DPO and monitors and audits the organisation's compliance with data protection. The team also provides advice and guidance to the organisation.
Legal Services
Legal Services provides support to the Data Protection Officer and is accountable to the National Statistician.
Chief Security Officer (CSO)
The Chief Security Officer (CSO) and their team ensure that organisational services using special category personal data are compliant, and are accountable to the National Statistician.
Departmental Records Officer
The Departmental Records Officer is responsible for records management and document storage, provides advice, and is accountable to the Chief Security Officer.
Information Asset Owner/Data Steward
The Information Asset Owner and Data Steward role holders are responsible and accountable for the data governance activities assigned to them as part of their appointment to the role. Data governance duties relating to this policy include:
- Responsibility for decisions on use, transfer and access requests for data assets which contain special category data, and oversight of associated processing activities.
- Decision-making in relation to project or user accreditation for access to special category data.
- Ensuring that a data sensitivity assessment has been undertaken for assigned data assets which contain special category data, and that associated risks are managed accordingly.